Acorn Newsbot
Three men are starting extended jail sentences this week after being convicted for their participation in what is thought to be the UK’s largest “phishing” scam ever. Inout Caraman, Adrian Iorgovean and Sunday Godday Etu each received terms of at least seven years in prison for their part in the plot, thought to be worth around £59 million.
What they did
Phishing is a particularly sneaky form of Internet scam that tries to trick people out of sensitive information, such as their online banking password or credit card details.
The phishing scam has three key steps:
1. The victim receives an email pretending to be from their bank (or a similar organisation), encouraging them to log into their account to rectify some kind of emergency, such as an extremely large, unexpected withdrawal.
2. The victim clicks one of the links in the email and is taken to a website that looks just like their bank's, but which is in fact owned and operated by the scammer.
3. The victim logs into the spoof website with their online banking details. They then receive a message onscreen apologising for a false alarm. However, unbeknown to the victim, the scammer has saved those banking details, ready to use to empty the victim's bank account.
Caraman, Iorgovean and Etu were first identified by the Metropolitan Police Central e-Crime Unit (PCeU) after 2,600 websites designed to mimic banking websites were uncovered. The phishing operation in question was particularly sophisticated, with fake sites having been created to entrap victims in the UK, USA, China and Russia.
How they did it
The fake websites were actually just one part of the phishing scam. On the trio's many computer systems, investigators discovered 70 million email addresses to which they were sending phishing emails. The addresses would have been harvested from stolen mailing lists, or collected by trawling social networks, forums and other websites with software that identifies and stores contact details.
Further forensic investigation of the operation revealed that the scammers had already recorded some success. 30,000 individuals had already been tricked into divulging their online banking login details, with nearly half (12,500) coming from the UK.
The PCeU estimates that using the details already obtained, the trio of scammers stood to defraud banks of £59 million. With the exception of creating the fake websites and sending out 30,000 emails, the scammers just had to wait for unsuspecting Internet bankers to hand over their login details voluntarily.
Common phishing techniques
The most common phishing technique, as demonstrated by these particular scammers, is to trick people using fake banking websites.
This avenue of attack is popular for phishing because:
• The message relates directly to the victim's own wallet. They are led to believe that they are about to lose a lot of money, potentially causing them major financial problems.
• The wording of the email implies a sense of urgency, advising the victim to log into their account now or face far greater consequences. This makes the victim far more likely to click links without considering the wider implications.
• Consumer bank websites are relatively easy for the scammer to copy when creating their own faked version.
However, phishing criminals do use other techniques to part victims from their personal data and money. Other potentially fraudulent emails include:
• Her Majesty's Revenue and Customs (HMRC, aka "The Tax Man"). An unexpected tax demand or refund that requires urgent action from the recipient.
• A "friend" who is trapped abroad after losing their wallet and needs an urgent bank transfer to pay their hotel bill and arrange a flight home.
• An email about a competition or prize draw that you have won. The victim is encouraged to hand over their bank account details so that the prize can be transferred electronically.
Regardless of the actual words used, the goal is always the same: to panic someone into visiting a website and handing over their login details before they can fully consider the implications of what they are doing.
How to protect yourself from phishing
So how can you protect yourself from falling victim to phishing emails and similar scams?
Here are our top tips:
1. Check the email carefully
Because an email is the starting point of any phishing scam, you should check the text carefully to see if you can spot any of the following:
• The email address looks strange. The name on an email may look normal, such as "Lloyds TSB Support", but when you look closely at the address it probably won't match up. You may see something like [email protected], [email protected] or even something completely unrelated, such as [email protected]. If the end of the email address doesn't match your bank's website, the email is probably fake.
• The graphics look a bit off. Phishing emails do their best to look legitimate, often borrowing artwork from your bank's website. However, you may find that logos are out of date, images have been poorly edited, or that the colour scheme of the email doesn't match your bank's branding correctly. If in doubt, delete the message.
• Embedded links are wrong. When you hover your mouse pointer over the links and images in the email, the addresses displayed go to another website. Like the email address, you may see the links point to www.lloydstsb.x10.co.uk, when they should actually be pointing at http://www.lloydstsb.co.uk. Do not click these links!
• Misspellings and poor grammar. English is often the second language of scammers, and it can show in the quality of writing in the email. If you receive an email purportedly from your bank, but that is filled with blatant spelling mistakes, you know it isn't real.
2. Check the website carefully
If the email is convincing and you do click through, there are some more things to check before you try to log in, to ensure the website isn't fake.
• Check the website address. Have a look at the website address in your browser bar. Does it match your bank's usual website address? Is it definitely Halifax.co.uk, and not halifaxx.co.uk? If the address is wrong, so is the site.
• Graphics and artwork. The scammers will do their very best to make their fake site look just like the real thing, but they may still make errors. Does the website look the same as usual? If not, then it's probably fake.
• Spelling and grammar. Just like the email you received, all spelling and grammar on the website should be perfect.
• Missing SSL certificate. Every online bank account is protected by Secure Sockets Layer (SSL) encryption, denoted by a padlock icon in the address bar, or sometimes in the status bar at the bottom of your browser window. You will also see that the website address begins https:// in the browser address bar. If the padlock icon or the https:// prefix is missing, the site is definitely fake.
• Incorrect SSL certificate. Some scammers will install a fake SSL certificate on their server to pass the check above. With a fake SSL certificate, the https:// prefix and padlock will both be in place, but the website is still fraudulent. If you harbour any concerns about the authenticity of a site, click the padlock icon to view the certificate details. The address listed should match your bank's head office. If not, the certificate and site are both fake.
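The sender-address and link checks in tip 1 and the address and https checks in tip 2 can be applied mechanically before anyone clicks. The script below is an added example, not code from the original article or from any bank it names: it parses a constructed sample message, compares the sender's address domain and every link target against an assumed legitimate bank domain (examplebank.co.uk, a placeholder), requires https on each link, and flags pressure words in the subject. The message text, the domain and the word list are all assumptions; the certificate inspection from tip 2 is not automated here because it needs a live connection to the site.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed legitimate domain of the bank the message claims to come from (placeholder).
BANK_DOMAIN = "examplebank.co.uk"

# Constructed sample message (not a real phishing email): the display name
# looks right, but the sending address and the login link do not. The
# misspelling in the body is deliberate, mirroring the article's point.
SAMPLE_EMAIL = """\
From: "ExampleBank Support" <support@examplebank-alerts.x10.example>
To: customer@example.org
Subject: Urgent: unexpected withdrawal on your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected a large withdrawl. Please log in now to cancel it:</p>
<a href="http://www.examplebank.x10.example/login">Log in to ExampleBank</a>
<img src="https://www.examplebank.co.uk/logo.png">
</body></html>
"""

# Assumed list of words that push the reader to act before thinking.
URGENCY_WORDS = ("urgent", "immediately", "now", "suspended", "verify")


def same_site(host, domain=BANK_DOMAIN):
    """True only if host is the bank domain itself or one of its subdomains.

    A substring test would wrongly accept examplebank.co.uk.evil.example,
    and a prefix test would accept examplebankk.co.uk; both are rejected here.
    """
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_url(url, domain=BANK_DOMAIN):
    """Return the problems with a link target: wrong host first, then missing https."""
    parts = urlparse(url)
    problems = []
    if not same_site(parts.hostname, domain):
        problems.append("host %r is not %s" % (parts.hostname, domain))
    if parts.scheme != "https":
        problems.append("not https")
    return problems


def check_email(raw, domain=BANK_DOMAIN):
    """Return the phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = {"sender": [], "urgency": [], "links": {}}

    # Sender: the domain after the '@' must belong to the bank, whatever the display name says.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2]
    if not same_site(sender_domain, domain):
        findings["sender"].append(
            "display name %r but address domain %r is not %s"
            % (display_name, sender_domain, domain))

    # Subject: whole-word match against the pressure vocabulary.
    subject = msg.get("Subject", "").lower()
    findings["urgency"] = [w for w in URGENCY_WORDS if re.search(r"\b%s\b" % w, subject)]

    # Links: every href is held to the same host and https checks as the site itself.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    for href in re.findall(r'href=["\']([^"\']+)["\']', body, re.IGNORECASE):
        problems = check_url(href, domain)
        if problems:
            findings["links"][href] = problems
    return findings


def is_suspicious(findings):
    """A sender mismatch or any bad link is enough to treat the message as phishing."""
    return bool(findings["sender"] or findings["links"])


if __name__ == "__main__":
    result = check_email(SAMPLE_EMAIL)
    for key, value in result.items():
        print("%s: %s" % (key, value))
    print("suspicious:", is_suspicious(result))
```

The host comparison deliberately uses an exact or dot-separated suffix match rather than "does the bank's name appear in the address": the article's own examples (lloydstsb.x10.co.uk, halifaxx.co.uk) both contain the bank's name and both must be rejected.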
3. Use your common sense
One of the very best ways to avoid being scammed by phishing emails is to use your common sense. Whenever you receive an unexpected email from a business, person or government body, you should consider the following:
• Does the message comply with my bank's guidelines? Many banks do not email their customers, ever. Others, such as Smile, send clients a message to let them know that they have a "secure message" that can only be read by logging into their online account. None of these emails usually contain clickable links; instead you must type the bank's website into the browser yourself.
• Is my friend really on holiday? If you receive a request for financial assistance from a friend abroad, ask yourself: are they really on holiday? You should also question the likelihood of anyone being robbed of their wallet, passport and phone and still being able to gain access to a computer to email you.
• Would the Tax Man email me? Despite the best efforts of successive governments, HMRC remains heavily reliant on Royal Mail. Even if you are a sole trader and registered to complete your own tax returns, all important communications will still take place via printed letters in the post. HMRC will never send you urgent demands for tax repayments.
• Did I enter that competition? The chances of winning a competition without actually entering it are virtually nil. Similarly unlikely is a competition organiser requesting bank account details to transfer prizes. If you do win something online, it will usually take the form of a printed cheque, or physical goods.
• Does something feel wrong? If you receive an email that makes you feel suspicious, you should delete it. Get in touch with your bank via telephone to confirm whether there really is an issue or not. Alternatively, visit the organisation's website directly; do not click any of the links in the email.
4. Get some PC security in place
Along with these manual tests, you should also consider installing some PC security software. Modern antivirus software often includes mail filtering tools that can automatically detect and delete a lot of the phishing emails you receive, saving time and effort and reducing the chances of being scammed.
Anti-malware software will also help protect your computer in the event that you do click a link in a phishing email. Often, fake websites serve a dual purpose: to steal your banking data, and to install software that can steal other personal data directly from your computer. Antivirus software will detect and remove this software, or prevent it from installing itself at all.
What to do if you encounter a phishing scam
If you do receive a phishing email, you should normally report the issue to the company being impersonated, then delete it. You should never click links in phishing emails.
• Report the message to Action Fraud. Action Fraud is the official Police body responsible for investigating cybercrime. You can (and should) report any suspicious messages using the form on their website.
• Report fake banking messages. Most banks encourage their customers to report scams directly by email.
  Halifax: [email protected]
  Lloyds TSB: [email protected]
  NatWest: [email protected]
  HSBC: [email protected]
  Barclays: [email protected]
• Report fake tax messages to HMRC. Fake emails should be forwarded directly to HMRC at [email protected]
As long as phishing remains profitable, criminals like Etu, Caraman and Iorgovean will continue to use these techniques to defraud people. However, using these guidelines, you can avoid becoming another statistic, and keep your money where it belongs – in your wallet!